Google Home and Chromecast have a serious privacy issue

A serious privacy issue is plaguing Google’s Home and Chromecast devices. Security researchers have found an authentication weakness which when exploited allows these devices to leak your precise location.

The problem basically has its roots in the fact that people have these devices and their smartphone or PCs on the same network. Now, your Google Home or Chromecast does not authenticate requests/connections coming from other devices on your local network, and that’s where the issue is.

To exploit this, Young prepared an attack which asks Google Home/Chromecast for a list of nearby wireless networks. Once the list is received, the victim’s precise location can easily be obtained by feeding the list to Google’s location services.

“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” said Craig Young, the researcher who found the issue.

“The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”

For those who aren’t aware, location information obtained by resolving WiFi netowrks is very precise (as compared to location info obtained through IP addresses), and this is what makes this vulnerability pretty serious.

“Ive been consistently getting locations within about 10 meters of the device.” Young said.

The implication of this vulnerability doesn’t limit to location data leak. As Young says, you can be blackmailed, have extortion campaigns run against yourself. Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success, he said.

Google initially didn’t pay heed to Young’s findings, but after another security researcher raised the issue with them, the company woke up to the problem, and said it will be fixed in an update coming next month.